package com.bb.blog.security.resource;

import com.bb.blog.security.common.CommonAccessDeniedHandler;
import com.bb.blog.security.common.CommonAuthenticationEntyPoint;
import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

public class BaseResourceServerConfig extends WebSecurityConfigurerAdapter {

    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri:}")
    String jwkSetUri;

    @Value("${spring.security.oauth2.resourceserver.opaquetoken.introspection-uri:}")
    String introspectionUri;
    @Value("${spring.security.oauth2.resourceserver.opaquetoken.client-id:}")
    String clientId;
    @Value("${spring.security.oauth2.resourceserver.opaquetoken.client-secret:}")
    String clientSecret;

    @Autowired
    OpaqueIntrospectorClient opaqueIntrospectorClient;


    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .oauth2ResourceServer(
                oauth2ResourceServer -> {
                    oauth2ResourceServer
                        .accessDeniedHandler(new CommonAccessDeniedHandler())
                        .authenticationEntryPoint(new CommonAuthenticationEntyPoint());
                    if (StringUtils.isNotBlank(jwkSetUri)) {
                        oauth2ResourceServer.jwt();
                    } else {
                        oauth2ResourceServer
                            .opaqueToken(opaqueToken ->
                                opaqueToken
                                    .introspector(opaqueTokenIntrospector())
                            );
                    }
                }


            );
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .exceptionHandling()
            .accessDeniedHandler(new CommonAccessDeniedHandler())
            .authenticationEntryPoint(new CommonAuthenticationEntyPoint());
//            .and().sessionManagement().sessionAuthenticationFailureHandler(new CommonFailureHandler());


    }

    @Bean
    JwtDecoder jwtDecoder() {
        if (StringUtils.isNotBlank(jwkSetUri)) {
            return NimbusJwtDecoder.withJwkSetUri(this.jwkSetUri).build();
        }
        return null;
    }


    public OpaqueTokenIntrospector opaqueTokenIntrospector() {
        return new BbOpaqueTokenIntrospector(opaqueIntrospectorClient);
    }
}
